Check page permissions when downloading attachments.

horde · Sep 21, 2017 · 58197ca · 58197ca
1 parent f3c28d8
commit 58197ca
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/wicked/lib/Application.php b/wicked/lib/Application.php
@@ -149,10 +149,14 @@ public function download(Horde_Variables $vars)
     {
         global $wicked;
 
-        $page = $vars->get('page', 'Wiki/Home');
+        $pageName = $vars->get('page', 'Wiki/Home');
+        $page = Wicked_Page::getPage($pageName);
+        if (!$page->allows(Wicked::MODE_DISPLAY)) {
+            throw new Horde_Exception_PermissionDenied();
+        }
 
-        $page_id = (($id = $wicked->getPageId($page)) === false)
-            ? $page
+        $page_id = (($id = $wicked->getPageId($pageName)) === false)
+            ? $pageName
             : $id;
 
         $version = $vars->version;